Windows Defender AV should act the same on Server 2016 as it does on Windows 10. If the server is enrolled in Defender ATP and third-party AV is installed, it should go into passive mode to ensure that it can still apply reactive protection to the server OS as required by Defender ATP.

Also, you will then be able to troubleshoot Windows Update by using the Get-WindowsUpdateLog command!

I have to change my passwords every few weeks and must change them on every device. I have to type them every time while I'm working at different levels on another computer. The passwords become longer and longer and more and more complex. The topic "passwords in a company", or even on a private system, takes a lot of time over a year. I have a long password with all kinds of extras in it and I'm not that bad on a keyboard, but I'm sure that I lose a lot of time working with this, and I guess I'm not alone.

Why don't you develop a system where it is possible to be logged in as a specific person (with that person's own rights) while I'm holding a finger on a fingerprint reader built into a mouse button? If I take my finger off the button because I am typing something, it could start the IR Face ID camera. The camera could hold the login for a set time (e.g. 1 or 2 minutes). If the time runs out, it should still be possible to type in the already open form, but I would lose my rights to save things / work until I have the correct authority again via the fingerprint or the IR Face ID camera.

You're a big company and can develop such things. Maybe it is a unique selling proposition for you: working without limits (within your given rights) and saving a lot of time!?

Just an idea

Best regards
Matthias

When using the interactive Windows Certificates snap-in, a third, very important certificate target store type can be selected:
one can select "my user account", "computer account" and "service account" as the target for certificates.

xCertificateImport currently seems to only support 2 target store types:
Location: 'LocalMachine' or 'CurrentUser'

As an admin it would be very cool to also be able to use xCertificateImport to manage service-related certificates, as there are otherwise no PowerShell means to do so and the GUI cert tool is a PITA, as it's not scriptable. And there are Microsoft's own services out there that need such certificates. For example, Microsoft AD LDS uses certificates stored in the service accounts section for SSL/TLS certificates, e.g. in:
[HKLM\SOFTWARE\Microsoft\Cryptography\Services\ADAM_inst1\SystemCertificates\My\Certificates]
There seems to be no means to use xCertificateImport to manage that path.
(Referring to https://msdn.microsoft.com/en-us/library/windows/desktop/aa388136(v=vs.85).aspx#CERT_SYSTEM_STORE_SERVICES)

(The old-fashioned, state-based PowerShell cert commands seem to have the same deficits, but why not do it right in this command? That would probably need a third parameter Location="service" and a further ServiceName="...." parameter.)
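
The post names the registry path AD LDS uses for its service certificate store. The following is an added example, not the poster's code and not part of xCertificateImport: it inventories the certificates under that path so an admin can check the service's certificate (subject, thumbprint, expiry) from PowerShell without the MMC. The instance name 'ADAM_inst1' is taken from the post; the Blob layout (repeated [UInt32 PropId][UInt32 Reserved][UInt32 Length][Data] elements, with PropId 32 = CERT_CERT_PROP_ID carrying the DER certificate) is the undocumented CryptoAPI serialisation and is assumed here.

```powershell
# Added example (not from the original post). Reads a Windows service's own
# certificate store straight from the registry and decodes each Blob.
# Assumption: Blob = sequence of [PropId][Reserved][Length][Data] elements,
# PropId 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate.
function Get-ServiceStoreCertificate {
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # e.g. 'ADAM_inst1' (from the post)
        [string]$StoreName = 'My'
    )
    $base = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\$ServiceName\SystemCertificates\$StoreName\Certificates"
    if (-not (Test-Path $base)) { return }           # no store for this service yet
    foreach ($key in Get-ChildItem -Path $base) {
        # subkey name = SHA-1 thumbprint; Blob = the cert plus its CryptoAPI properties
        $blob = (Get-ItemProperty -Path $key.PSPath -Name Blob -ErrorAction SilentlyContinue).Blob
        if (-not $blob) { continue }
        $offset = 0
        while ($offset + 12 -le $blob.Length) {
            $propId = [BitConverter]::ToUInt32($blob, $offset)
            $len    = [long][BitConverter]::ToUInt32($blob, $offset + 8)
            if ($offset + 12 + $len -gt $blob.Length) { break }   # malformed element: stop, do not over-read
            if ($propId -eq 32 -and $len -gt 0) {
                $der = New-Object byte[] $len
                [Array]::Copy($blob, $offset + 12, $der, 0, $len)
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
                [pscustomobject]@{
                    Service     = $ServiceName
                    Store       = $StoreName
                    RegistryKey = $key.PSChildName
                    Thumbprint  = $cert.Thumbprint
                    Subject     = $cert.Subject
                    NotAfter    = $cert.NotAfter
                    Expired     = ($cert.NotAfter -lt (Get-Date))
                }
            }
            $offset += 12 + $len
        }
    }
}

# Inventory the AD LDS instance's store; an empty result means nothing is installed there yet.
Get-ServiceStoreCertificate -ServiceName 'ADAM_inst1' | Format-Table -AutoSize
```

Reading HKLM requires a local administrator; the function only reads, so it is safe to run as an audit before and after a certificate deployment.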

The security log still records user activities that were not added to the audit setting, and records permissions that were not added to be audited. For example, if you want to audit write only, the security log still audits read & list folder contents, which I don't need to audit, and this makes the audit log huge.

Without being able to force the key storage format to the older format, this cmdlet only adds confusion for many deployments rather than adding needed functionality, as the results of its work are unusable by most of the existing software.

Give admins the possibility to increase the number of character set combinations. Currently it is 3, but we would like to make it 4 and we can't. We are "forced" to invest in an external party creating custom password filters, from what I am reading in TechNet forums.

SChannel in Windows Server 2016 TP5 still has RC4 ciphers and even SSLv3 enabled by default, which is a complete joke from a security standpoint. If Microsoft doesn't want their server to be insecure by default, disable those like every other major vendor has done.
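
Until the defaults change, the settings the post names can be audited and enforced locally. The following is an added example, not the poster's code: it checks the SSL 3.0 protocol keys and the RC4 cipher keys at their documented SChannel registry locations and removes any remaining RC4 cipher suites with the TLS cmdlets that ship with Server 2012 R2 and later. The function name and its -Apply switch are this example's own.

```powershell
# Added example (not from the original post): audit, and optionally enforce,
# "SSL 3.0 off" and "RC4 off" for SChannel. Run elevated; SChannel reads the
# registry at boot, so a reboot is needed before the change takes effect.
function Set-SChannelBaseline {
    param([switch]$Apply)
    $findings = @()

    # 1. SSL 3.0: Enabled=0 and DisabledByDefault=1 for both the server and client role.
    $protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $protoRoot "SSL 3.0\$role"
        $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        # A missing value means "OS default"; on TP5 the post reports that default as enabled.
        $findings += [pscustomobject]@{ Item = "SSL 3.0 $role"; Current = $enabled; Compliant = ($enabled -eq 0) }
        if ($Apply) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
        }
    }

    # 2. RC4 cipher keys. Their names contain '/', which the registry provider treats
    #    as a path separator, so the .NET RegistryKey API is used instead of New-Item.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers', $Apply.IsPresent)
    if ($ciphers) {
        foreach ($name in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128') {
            $sub = $ciphers.OpenSubKey($name)
            $enabled = if ($sub) { $sub.GetValue('Enabled') } else { $null }
            $findings += [pscustomobject]@{ Item = "Cipher $name"; Current = $enabled; Compliant = ($enabled -eq 0) }
            if ($Apply) {
                $sub = $ciphers.CreateSubKey($name)
                $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
            }
        }
    }

    # 3. Cipher-suite list: any suite still negotiating RC4 is a finding (TLS module, 2012 R2+).
    foreach ($suite in Get-TlsCipherSuite | Where-Object Name -like '*RC4*') {
        $findings += [pscustomobject]@{ Item = "Suite $($suite.Name)"; Current = 'enabled'; Compliant = $false }
        if ($Apply) { Disable-TlsCipherSuite -Name $suite.Name }
    }
    $findings
}

Set-SChannelBaseline | Format-Table -AutoSize   # audit only; add -Apply to enforce, then reboot
```

Re-run the audit after the reboot: the RC4 suites should no longer appear in Get-TlsCipherSuite and both SSL 3.0 rows should read Compliant = True.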

Windows supports two password APIs, change and reset. The change API honors password history, preventing users from re-using recent previous passwords. The reset API ignores password history and allows an administrator or, e.g., the help desk to re-use a recent previous password. Add an option in Active Directory to force the reset API to also honor password history. The default should be that this option is disabled (an administrator CAN use a recent password), so that it matches expected / current behavior. For Active Directory, this option should be available in the default domain policy and also in each password settings object for granular password policy.

Thanks

Steven

Create a built-in group "Developers" on Windows Server (and domain controllers) and restrict the activity of those users to compiling, debugging and running their applications. If the developer's computer gets compromised, then the damage is limited. Unfortunately, the effort to restrict "developer" accounts is too error-prone.

Following the convention of least privilege, application developers need not be full-blown administrators on their development machines. For example, they don't need to manage users, groups or memberships, or even be able to make changes that affect everyone on the host. They do need the ability to compile and debug their software.

Similar to Azure, create roles (aka groups) that would better control what developers can do.

MICROSOFT
Please make all your Microsoft products easy to work with PGP.
External server to external server can use DKIM for PGP keys.
And allow your products to work with legitimate key servers like MIT. Make your own key server if you want to, but share/sync the info back to the MIT server (like PGP-DNS).
Allow sharing of key server data, like mirror/sync.
Allow key servers to use DKIM keys to communicate with external servers.

The whole CA management interface feels so overdue. I know the whole certificate thing wasn't built by Microsoft and it was pushed into the market really fast (relatively speaking), so a solution had to be realized quickly. The whole topic is very clumsy and involves so many manual steps that it gives lots of admins around the globe headaches. It is also very hard to learn and master due to the wrong tools, I think.

The certificate management in the Exchange Control Panel 2013 seems a step in the right direction. I can't really tell you what to do, but I'm sure that if the right guys at Microsoft sit together, think and talk about this, something great comes out of it.

Don't get me wrong, this really isn't a Microsoft problem here; it's an industry-wide problem. But Microsoft could bring out a completely revised certificate management (client and server) with their next version of Windows and roll the dice to change the whole industry here, just as other competitors have done with multitouch, for example.

There is no way to either view or manage local security policy using PowerShell. It is possible to install a utility such as secedit.exe and make calls out to it, but this should be functionality that resides within native PowerShell cmdlets.
This would greatly ease server management and, in particular, allow for viewing settings that would otherwise not be available to people without using a GUI tool.
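
The workaround the post mentions, calling out to secedit.exe, can at least be wrapped so that the policy is readable as PowerShell objects. The following is an added example, not the poster's code: it exports the local security policy with secedit, parses the INI-style export into nested hashtables, and reports the account-policy values an admin would otherwise open the GUI for. The function name, the export path and the fields reported are this example's own choices.

```powershell
# Added example (not from the original post): read local security policy from
# PowerShell by exporting it with secedit.exe and parsing the .inf it writes.
# Requires an elevated prompt, because secedit reads the local LSA policy.
function Export-LocalSecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'secpol-export.inf'))   # path is this example's choice
    # /areas SECURITYPOLICY keeps the export to account policy, audit policy and security options.
    $null = & secedit.exe /export /cfg $Path /areas SECURITYPOLICY
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Path)) {
        throw "secedit export failed (exit code $LASTEXITCODE)"
    }
    $policy  = @{}
    $section = $null
    # The export is a UTF-16 INI file: [Section] headers, Key = Value lines, ';' comments.
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $policy[$section] = @{}
            continue
        }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $policy[$section][$Matches[1]] = $Matches[2].Trim('"')
        }
    }
    Remove-Item -Path $Path -ErrorAction SilentlyContinue   # do not leave policy exports lying around
    return $policy
}

# Summarise the password and lockout settings, plus how many audit categories are on.
function Get-AccountPolicySummary {
    $pol   = Export-LocalSecurityPolicy
    $sa    = $pol['System Access']
    $audit = $pol['Event Audit']
    $auditOn = if ($audit) { @($audit.Keys | Where-Object { $audit[$_] -ne '0' }).Count } else { 0 }
    [pscustomobject]@{
        MinimumPasswordLength = [int]$sa['MinimumPasswordLength']
        PasswordHistorySize   = [int]$sa['PasswordHistorySize']
        PasswordComplexity    = [int]$sa['PasswordComplexity']   # 1 = complexity requirement enabled
        LockoutBadCount       = [int]$sa['LockoutBadCount']       # 0 = no account lockout
        AuditCategoriesOn     = $auditOn
    }
}

Get-AccountPolicySummary | Format-List
```

The [System Access] and [Event Audit] section names and their key names are the ones secedit itself writes, so the same parser can be pointed at a security template (.inf) from a GPO backup for comparison.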